0

I have a yada resource configured as follows:

(yada/resource
    {:methods {:get
               {:produces "text/plain"
                :response (fn [ctx]
                            "Hello world!!")}}})

curl -i localhost:8080/api/new returns:

HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Length: 13
Content-Type: text/plain
Server: Aleph/0.4.4
Connection: Keep-Alive
Date: Thu, 12 Dec 2019 18:50:42 GMT

Hello world!!

But when I add access control configuration to allow origins:

(yada/resource
    {:methods {:get
               {:produces "text/plain"
                :response (fn [ctx]
                            "Hello world!!")}}
     :access-control {:allow-origin "*"}})

I don't see the additional headers:

HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Length: 13
Content-Type: text/plain
Server: Aleph/0.4.4
Connection: Keep-Alive
Date: Thu, 12 Dec 2019 18:52:32 GMT

Hello world!!

I also tried using the example from https://juxt.pro/yada/manual/index.html#cross-origin-resource-sharing-cors, but with the same result.

I see the dreaded "Access to resource at ... from origin ... has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource" when I try to access the endpoint from my UI.

What am I missing in this configuration?

4

2 Answers

0

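I think your configuration is correct (with the usual caveats about allowing "*"). I think yada doesn't actually produce the headers unless the request has an Origin header: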

(defn access-control-headers [ctx]
  (if-let [origin (get-in ctx [:request :headers "origin"])]
    ;...

This may explain the difference between your curl call and your actual client. Try checking with curl -H "Origin: http://origin" -vi http://server/endpoint.

Answered 2020-07-18T14:15:02.550
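
The check suggested in the answer above, as an added example that is not part of the original post or of yada: a probe that requests the same endpoint once without and once with an Origin header and reports the Access-Control-Allow-Origin value each time. Assumptions: the local handler is a constructed stand-in that only models the behaviour the answer describes (CORS header emitted only when Origin is present), and http://ui.example is a made-up origin.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class OriginGatedHandler(BaseHTTPRequestHandler):
    """Constructed stand-in (not yada): CORS header only when Origin is sent."""

    def do_GET(self):
        body = b"Hello world!!"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        if self.headers.get("Origin") is not None:
            self.send_header("Access-Control-Allow-Origin", "*")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass

def allow_origin_header(host, port, path, origin=None):
    """GET path and return the Access-Control-Allow-Origin value, or None."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers={"Origin": origin} if origin else {})
        resp = conn.getresponse()
        resp.read()
        return resp.getheader("Access-Control-Allow-Origin")
    finally:
        conn.close()

def probe(host, port, path, origin="http://ui.example"):
    """Compare a plain request (like curl -i) with one carrying Origin."""
    return {
        "without_origin": allow_origin_header(host, port, path),
        "with_origin": allow_origin_header(host, port, path, origin),
    }

def demo():
    """Run the probe against the stand-in server on an ephemeral local port."""
    server = HTTPServer(("127.0.0.1", 0), OriginGatedHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe("127.0.0.1", server.server_port, "/api/new")
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(demo())
```

To test a real service, call probe() with its host, port and path; a None under without_origin alone does not indicate a misconfigured CORS policy.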
0

I was able to use the following workaround:

(yada/resource
    {:methods {:get
               {:produces "text/plain"
                :response (fn [ctx]
                            (let [response (:response ctx)
                                  updated-response (assoc-in response [:headers] {"Access-Control-Allow-Origin" "*"})]
                              (prn updated-response)
                              updated-response))}}})

This circumvents the built-in response mechanism. I would still like to know the correct way.

Answered 2019-12-12T20:16:59.373